Safranidsec Whitepaper Digital Pin Issuance Sep16 PDF
White Paper
Jerome Chavanel
Head of Product Marketing,
Instant eService at Safran Identity and Security
September 2016
1 INTRODUCTION
Worldwide migration to EMV is well under way. In Europe, Canada, Latin America and
Africa, more than 85% of card-present transactions are EMV based. Asia is a bit
behind with an honorable 40% but doubled the number of EMV transactions between 2014
and 2015; and even in the USA, where the EMV migration is just starting, the progression
between the last two years is a factor of 15. This huge EMV adoption does not come out of
thin air: it is the combination of efficient investment campaigns and superior technology.
With its heavy emphasis on security, the EMV card-present transaction is a very concrete
and efficient way to displace fraud to other payment means. Authenticating the consumer
(the cardholder) is therefore one of the cornerstones of this model, and one of the most
convenient ways to do so is to set up two-factor authentication on the payment service:
something you own (the card) and something you know (a passphrase or a code).
While we are still waiting for other means providing the same levels of user-friendliness,
reliability and flexibility, the PIN code has taken the lion's share and remains thus far the
favored authentication means of the issuing banks.
To ensure that our cathedral remains intact, PIN code distribution has been organized since
its origins in a very simple, strict and, surprisingly, identical manner worldwide: when the
card leaves the factory, a counter is started and the PIN code is printed on a protected
sheet of paper two or three days later, before being shipped to the cardholder's address. This
precaution is set up to make sure that the card and the PIN code cannot arrive in the
mailbox at the same time. The type of paper may vary, so that the user who
receives the PIN mailer can detect any tampering with the mail, but all in all the process
is the same. Everywhere. In each and every location.
The thing is, banks have realized that while most millennials are still happy to receive mail,
they expect to do so from their e-mail accounts. Active users do not necessarily have the
time to use their new card soon enough to remember their codes. Seniors are
sometimes prone to forgetting a four-digit code, especially when they have extensively used
cash. Banks are facing a hard problem: meeting customers' increasing expectations for
service delivery while keeping the sturdiness and reliability that made the success of EMV
payment.
In the end, one of the challenges faced by PIN issuance is the same as for any
well-oiled machine: how do you face change in an extremely security-sensitive business?
One answer could be to consider alternative digital delivery channels to provide easier
access to PIN codes.
Credit: EMVCo Worldwide EMV deployment Statistics
Around 500M€ per year of potential global cost savings*
Even if replacing existing PIN issuance tools requires an initial investment, like all
pure software-based solutions, the return on investment is guaranteed in the first year of
activity.
3,5 million cards issued x 1% x 30€ (average annual fee for card usage) = +1,05 M€ of additional revenue
2.3 Provide Sustainable Services
According to the EPA*, paper accounts for more than half of the total weight of all collected
recyclables in the United States. Globally, 339 million tons of paper are consumed each
year.
Most accounting firms advocate paper reduction as a very significant improvement
in the quality and efficiency of their work. Whether for initial production of documents, copies or
mailing, the advantages of electronic document management systems over regular mail are
numerous. Documents can be linked electronically to a specific client, hard copies and
their associated costs are eliminated, misfiled documents are easily corrected, the cost of unused
materials is saved, mailing costs are saved, and the purchase and maintenance of all printing
and copying equipment is optimized and drastically reduced.
Reducing dependence on paper is good for the planet but also quite good for the bottom line.
Obviously, service delivery timeframes of this kind are not compatible with today's
expectations, let alone with VIP services where people can have a card delivered on the spot in
some specific locations.
3 ALTERNATIVES
The challenges posed by regular PIN issuance have been addressed recently, through
several alternative delivery methods.
These solutions let the cardholder choose the moment of PIN issuance and, since
they follow the cardholder, have the PIN delivered at a chosen location as well.
These solutions also work as an alternative for PIN reissuance (or reminder), acting
as a life-saver on some occasions. Each of them is also accompanied by an adaptation of
security standards, making the whole set of solutions ready for market adoption.
Whatever the delivery method, it is now mandatory to be able to authenticate the user
through one means or another. Authentication is generally done with a One Time
Password (OTP), which has to be communicated beforehand to the cardholder. The PIN delivery
service provider is then in charge of verifying this OTP before it grants PIN
delivery authorization.
In all cases, the core interest of these solutions from a security perspective is to split the card
delivery channel from the PIN delivery channel, and to make tampering more difficult or useless.
3.1 SMS
SMS is usually the starting point for digital PIN issuance methods. The benefits of using
SMS are numerous, the first one being the delivery target. As the SMS is delivered to a mobile phone, the
chances of it remaining unnoticed for a long time are extremely low. Just as a reminder, a
regular user looks at their smartphone at least 150 times per day. In the morning, you are
more likely to forget your home keys than your smartphone. This
makes this delivery channel one of the best choices for making the cardholder aware of the PIN
delivery.
The customer is identified through their mobile phone number; as mentioned, PIN delivery
has to follow user authentication. The authentication OTP can be provided beforehand through
any alternative channel, such as card carrier, IVR or web notification, and sent to the digital PIN
delivery service through a prepaid SMS.
You can then be sure that the cardholder is:
From a pure security standpoint, the implementation of Flash SMS (a feature whose availability
depends on the mobile network operator's equipment) can remove any risk of PIN code storage,
since you can then delete the SMS as soon as it has been acknowledged.
Finally, even if the unit cost of SMS issuance is not zero, it is still much more competitive than
an envelope with a stamp once the set-up costs have been met.
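The OTP check that sections 3 and 3.1 describe, where the delivery service verifies the OTP arriving by SMS from the cardholder's number before authorizing PIN delivery, can be sketched as follows. This is an added example, not code from the white paper or from any Safran product; the class name, the six-digit OTP, the attempt limit and the validity window are assumptions.

```python
import hashlib
import hmac
import secrets
import time

MAX_ATTEMPTS = 3        # assumed policy, not taken from the white paper
OTP_TTL_SECONDS = 600   # assumed validity window


class PinDeliveryGate:
    """Hypothetical OTP check performed before PIN delivery is authorized."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._key = secrets.token_bytes(32)  # server-side key for OTP digests
        self._pending = {}  # msisdn -> [digest, expires_at, attempts_left]

    def _digest(self, msisdn, otp):
        # Keep only a keyed digest bound to the phone number, never the OTP.
        return hmac.new(self._key, f"{msisdn}:{otp}".encode(), hashlib.sha256).digest()

    def enroll(self, msisdn):
        """Create the OTP that goes out beforehand (card carrier, IVR, web)."""
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending[msisdn] = [self._digest(msisdn, otp),
                                 self._clock() + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        return otp

    def authorize(self, sender_msisdn, otp):
        """True only for a valid, unexpired, unused OTP from the enrolled number."""
        entry = self._pending.get(sender_msisdn)
        if entry is None:
            return False                       # unknown number or OTP already used
        if self._clock() > entry[1] or entry[2] <= 0:
            del self._pending[sender_msisdn]   # expired or locked out
            return False
        entry[2] -= 1                          # count the attempt before comparing
        if hmac.compare_digest(entry[0], self._digest(sender_msisdn, otp)):
            del self._pending[sender_msisdn]   # single use
            return True
        return False


if __name__ == "__main__":
    gate = PinDeliveryGate()
    code = gate.enroll("+00 000 0001")         # constructed phone number
    print(gate.authorize("+00 000 0001", code), gate.authorize("+00 000 0001", code))
```

The sender number only selects which pending OTP to check; the OTP itself, limited in lifetime, attempts and uses, is what authorizes delivery.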
3.2 WEB Interface
A distinction is usually made between the online banking delivery interface and the mobile
application delivery interface. Though there are subtleties as to which technical components
are provided in each case, the general idea is strictly identical: the PIN delivery service can
be called either from a website or a mobile banking app.
This delivery method comes with an important constraint: an internet connection is
mandatory during the delivery process. It is therefore especially well suited to
sedentary use cases (a request from a personal computer or a tablet) or to a smartphone
connected to a reliable network.
4 SUMMARY
We have laid out the numerous benefits of choosing digital delivery of PIN codes as an
alternative path. Whether the aim is to provide a better customer experience, improve business
efficiency, reduce risks or achieve a more eco-friendly carbon balance, these solutions all
provide significant gains for a minimal risk to the issuing banks. Giving end users
the capability to manage their own PIN code to some extent improves business ROI,
provides a better customer retention rate and offloads the bank's call centers. As a wrap-up,
the benefits are listed below:
CREDITS
http://www.planetoscope.com/papier/379-consommation-mondiale-de-papier.html
https://www.quora.com/What-is-the-cost-of-an-average-call-center-call
http://news.bbc.co.uk/2/hi/technology/4183330.stm
https://www.emvco.com/documents/EMVCo_EMV_Deployment_Stats_2016.pdf
Safran Identity & Security
11, boulevard Gallieni – 92130 Issy-les-Moulineaux – France
Phone: +33 (0) 1 58 11 25 00 – www.safran-identity-security.com
Public limited company (société anonyme) with a share capital of 159.876.075 euros – 440 305 282 RCS Nanterre